Issue 625037

Starred by 2 users

Issue metadata

Status: Archived
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

tpm2: implement off-disk early-access key storage

Reported by dkrahn@chromium.org (Project Member), Jul 1 2016

Issue description

cryptohome/mount-encrypted.c -- The approach is different for TPM 2.0.

https://docs.google.com/document/d/12nF-BnMQCKs-Y1RzR6Z9AcHvcdVM08bwy8B9i5RhUH8/edit#bookmark=id.c0lhta8zmsvg
Cc: dkrahn@chromium.org
The more I look into this the messier it gets :(

Do we want to take the time to refactor lockbox/install_attributes/mount-encrypted, or do the quick and easy route? Lockbox already calls out to mount-encrypted to do finalization, so it wouldn't be unthinkable to have it stop pretending to be totally index-agnostic.
Cc: keescook@chromium.org
At this point the fastest route to get mount-encrypted working would be best IMO, as long as the design is being followed. The call-out that cryptohomed does to mount-encrypted doesn't touch the TPM at all (afaict) so that part shouldn't need to change.

+keescook - FYI
cryptohomed touches the TPM (finalizes the lockbox), but the call to mount-encrypted doesn't touch the TPM: it's just cleaning up the key files on disk.
Comment 4 by bugdroid1@chromium.org (Project Member), Aug 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/5d996696083b544179da32ece60247b166a17d57

commit 5d996696083b544179da32ece60247b166a17d57
Author: Stephen Barber <smbarber@chromium.org>
Date: Thu Aug 04 23:05:01 2016

tlcl: add implementations for GetOwnership and Read/WriteLock

mount-encrypted needs to be aware of TPM ownership status, and
will also want to issue a read lock for the early access NVRAM
index.

BRANCH=none
BUG=chromium:625037
TEST=mount-encrypted shows ownership at boot with kevin

Change-Id: I42f43f91d892137e1c46c7cacd88e3b749ce7f04
Reviewed-on: https://chromium-review.googlesource.com/366443
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/5d996696083b544179da32ece60247b166a17d57/firmware/lib/tpm2_lite/tlcl.c
[modify] https://crrev.com/5d996696083b544179da32ece60247b166a17d57/firmware/include/tpm2_tss_constants.h
[modify] https://crrev.com/5d996696083b544179da32ece60247b166a17d57/firmware/lib/tpm2_lite/marshaling.c
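
As an added illustration of the two TPM 2.0 operations the commit message above names (this is example code written for this page, not the tlcl code from vboot_reference or anything from mount-encrypted): marshaling a TPM2_NV_ReadLock command with an empty password session, and decoding a TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES, TPM_PT_PERMANENT) response to derive an ownership flag from TPMA_PERMANENT.ownerAuthSet, which is one way to answer "is the TPM owned" on TPM 2.0. Command codes, handles and layouts follow the TPM 2.0 Library Specification; the NV index handle 0x01000001 and the sample response bytes are constructed for the example and are not real Chrome OS values, and the structure of the actual tlcl implementation may differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants from the TPM 2.0 Library Specification, Part 2 (Structures). */
#define TPM_ST_NO_SESSIONS          0x8001u
#define TPM_ST_SESSIONS             0x8002u
#define TPM_CC_NV_ReadLock          0x0000014Fu
#define TPM_RC_SUCCESS              0x00000000u
#define TPM_RH_OWNER                0x40000001u
#define TPM_RS_PW                   0x40000009u
#define TPM_CAP_TPM_PROPERTIES      0x00000006u
#define TPM_PT_PERMANENT            0x00000200u
#define TPMA_PERMANENT_ownerAuthSet 0x00000001u

/* Hypothetical NV index handle for the early-access key blob (NV handles
 * live in the 0x01xxxxxx range). Not a real Chrome OS index number. */
#define EXAMPLE_NV_INDEX            0x01000001u

/* The TPM wire format is big-endian. */
static size_t put_u8(uint8_t *b, uint8_t v)   { b[0] = v; return 1; }
static size_t put_u16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; return 2; }
static size_t put_u32(uint8_t *b, uint32_t v)
{
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16);
    b[2] = (uint8_t)(v >> 8);  b[3] = (uint8_t)v;
    return 4;
}
static uint32_t get_u32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Marshal TPM2_NV_ReadLock(authHandle, nvIndex) with a single password
 * session (TPM_RS_PW, no nonce, empty HMAC). An empty password only
 * satisfies an authHandle whose authValue is empty; production code would
 * carry the owner or index password in the hmac field. Returns the command
 * length, or 0 if the buffer is too small. */
size_t marshal_nv_readlock(uint8_t *out, size_t cap, uint32_t auth_handle, uint32_t nv_index)
{
    size_t n = 0;
    if (cap < 31) return 0;
    n += put_u16(out + n, TPM_ST_SESSIONS);
    n += put_u32(out + n, 0);                 /* commandSize, patched below */
    n += put_u32(out + n, TPM_CC_NV_ReadLock);
    n += put_u32(out + n, auth_handle);       /* TPM_RH_OWNER or the index itself */
    n += put_u32(out + n, nv_index);
    n += put_u32(out + n, 9);                 /* authorizationSize */
    n += put_u32(out + n, TPM_RS_PW);         /* sessionHandle */
    n += put_u16(out + n, 0);                 /* nonce.size */
    n += put_u8(out + n, 0);                  /* sessionAttributes */
    n += put_u16(out + n, 0);                 /* hmac.size (empty password) */
    put_u32(out + 2, (uint32_t)n);
    return n;
}

/* Parse the response to TPM2_GetCapability(TPM_CAP_TPM_PROPERTIES,
 * TPM_PT_PERMANENT, 1). Sets *owned from TPMA_PERMANENT.ownerAuthSet and
 * returns 0; returns -1 for a short, inconsistent or failing response. */
int parse_ownership_response(const uint8_t *rsp, size_t len, int *owned)
{
    if (len < 27 || get_u32(rsp + 2) != len) return -1;       /* responseSize */
    if (get_u32(rsp + 6) != TPM_RC_SUCCESS) return -1;        /* responseCode */
    /* rsp[10] is moreData; ignored here */
    if (get_u32(rsp + 11) != TPM_CAP_TPM_PROPERTIES) return -1;
    if (get_u32(rsp + 15) < 1) return -1;                     /* count */
    if (get_u32(rsp + 19) != TPM_PT_PERMANENT) return -1;     /* property */
    *owned = (get_u32(rsp + 23) & TPMA_PERMANENT_ownerAuthSet) ? 1 : 0;
    return 0;
}

/* Constructed sample: the 27-byte response a TPM would return for the query
 * above with the given TPMA_PERMANENT value. Not captured from hardware. */
size_t build_sample_permanent_response(uint8_t *out, uint32_t permanent)
{
    size_t n = 0;
    n += put_u16(out + n, TPM_ST_NO_SESSIONS);
    n += put_u32(out + n, 27);                  /* responseSize */
    n += put_u32(out + n, TPM_RC_SUCCESS);
    n += put_u8(out + n, 0);                    /* moreData = NO */
    n += put_u32(out + n, TPM_CAP_TPM_PROPERTIES);
    n += put_u32(out + n, 1);                   /* count */
    n += put_u32(out + n, TPM_PT_PERMANENT);
    n += put_u32(out + n, permanent);
    return n;
}

/* Value-returning helpers used by main(). */
size_t readlock_cmd_len(void)
{
    uint8_t buf[64];
    return marshal_nv_readlock(buf, sizeof buf, TPM_RH_OWNER, EXAMPLE_NV_INDEX);
}
uint32_t readlock_cmd_field(size_t offset)
{
    uint8_t buf[64];
    if (!marshal_nv_readlock(buf, sizeof buf, TPM_RH_OWNER, EXAMPLE_NV_INDEX)) return 0;
    return get_u32(buf + offset);
}
/* Returns 1/0 for owned/unowned, -1 if the (optionally truncated) response is rejected. */
int sample_owned(uint32_t permanent, size_t truncate_to)
{
    uint8_t rsp[27];
    int owned = -1;
    size_t n = build_sample_permanent_response(rsp, permanent);
    if (truncate_to && truncate_to < n) n = truncate_to;
    if (parse_ownership_response(rsp, n, &owned) != 0) return -1;
    return owned;
}

int main(void)
{
    printf("NV_ReadLock command: %zu bytes\n", readlock_cmd_len());
    printf("owned (ownerAuthSet=1): %d\n", sample_owned(0x1, 0));
    printf("owned (ownerAuthSet=0): %d\n", sample_owned(0x0, 0));
    printf("truncated response:     %d\n", sample_owned(0x1, 20));
    return 0;
}
```

Two points worth noting for anyone wiring this into a boot-time path: a read lock on an NV index only holds until the next TPM reset (TPMA_NV_READ_STCLEAR), so it must be issued every boot after the key blob has been read; and the parser rejects any response whose responseSize disagrees with the bytes actually received, since trusting the length field before the buffer is what turns a malformed response into an over-read.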

FYI: I've mostly put this on the back burner as I deal with other kevin issues. I'm happy to tackle it once some of that has died down, but if it's urgent I can start working on this again.
Cc: smbar...@chromium.org
Owner: ----
Status: Available (was: Assigned)
Owner: apronin@chromium.org
Status: Fixed (was: Available)
Fixed. Tracked here:
http://crosbug.com/p/54708
http://crosbug.com/p/59062
http://crosbug.com/p/59973

Comment 8 by dchan@google.com, Mar 4 2017

Labels: VerifyIn-58

Comment 9 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 10 by dchan@google.com, May 30 2017

Labels: VerifyIn-60
Labels: VerifyIn-61

Comment 12 by dchan@chromium.org, Oct 14 2017

Status: Archived (was: Fixed)